I'm trying to export existing resources in my GCP project to terraform files by using GHA. It's failing due to stdin issues with parameters.
To obtain the output terraform file with all GCP resources.
It seems that the gcloud command is not detecting input parameters.
```yaml
resources:
  runs-on: ubuntu-latest
  permissions:
    contents: 'read'
    id-token: 'write'
  steps:
  - name: Authenticate via Workload Identity Federation
    id: wif
    uses: 'google-github-actions/[email protected]'
    with:
      workload_identity_provider: ${{ env.WIF_PROVIDER }}
      service_account: ${{ env.WIF_SA }}
  - name: 'Set up Cloud SDK'
    uses: 'google-github-actions/[email protected]'
  - name: 'Export terraform'
    id: export_terraform
    run: |
      gcloud --quiet beta resource-config bulk-export --resource-format=terraform
```

```
error in 'config-connector' version '1.93.0': cannot supply input on stdin with the 'project' parameter
ERROR: (gcloud.beta.resource-config.bulk-export) The bulk-export command could not finish correctly.
```
Hi @geret1
Can you please provide the debug logs? The error says that it's prompting for the "--project" flag, but that fails since it's not an interactive environment. The project should be set by the auth action, and the debug logs will help determine why that's not happening.
Hi @geret1 - It looks like the gcloud command requires a `--project` flag and it is explicitly not inherited from core/project. Therefore, you'll need to pass in a project ID as a flag:

```yaml
- name: 'Export terraform'
  id: export_terraform
  run: |
    # TODO: set PROJECT_ID
    gcloud --quiet beta resource-config bulk-export --project ${{ env.PROJECT_ID }} --resource-format=terraform
```
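A fail-fast wrapper for the explicit `--project` advice above, as an added example that is not part of the original thread or of the action's own code: it resolves the project ID, validates its shape, and always passes `--project`. The function names, the `GCLOUD` override and the fallback order through `PROJECT_ID`, `CLOUDSDK_CORE_PROJECT` and `GOOGLE_CLOUD_PROJECT` are assumptions of this example.

```shell
# Added example (POSIX sh). Names and fallback order are assumptions.
LC_ALL=C   # keep [a-z] ranges ASCII-only during pattern matching

# Project ID shape: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  case "$1" in
    *[!a-z0-9-]*) return 1 ;;   # any character outside the allowed set
    [!a-z]*|*-)   return 1 ;;   # bad first character or trailing hyphen
  esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
}

# Print the first non-empty candidate: explicit argument, then PROJECT_ID
# (the env name used in the thread), then two common project variables.
# Returns 1 when nothing is set and 2 when the first candidate is malformed.
resolve_project() {
  for candidate in "${1:-}" "${PROJECT_ID:-}" \
                   "${CLOUDSDK_CORE_PROJECT:-}" "${GOOGLE_CLOUD_PROJECT:-}"; do
    [ -n "$candidate" ] || continue
    if valid_project_id "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
    # Do not fall through to another source and do not echo the bad value.
    echo "refusing malformed project id" >&2
    return 2
  done
  echo "no project id set; bulk-export cannot prompt for one in CI" >&2
  return 1
}

# Run the export with an explicit --project. GCLOUD can be overridden
# (for example GCLOUD=echo) to inspect the command without running it.
run_bulk_export() {
  project="$(resolve_project "${1:-}")" || return $?
  "${GCLOUD:-gcloud}" --quiet beta resource-config bulk-export \
    --project "$project" --resource-format=terraform
}
```

In a workflow step, pass the project ID through the step's `env:` block so it reaches the script as data rather than as interpolated shell text.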
Yep, totally weird. Locally, with `gcloud auth login` and the owner role, it works without problems, but with WIF something strange is happening.
Setting the gcloud verbosity to debug, I see the following command:
DEBUG: Executing command: ['/opt/hostedtoolcache/gcloud/410.0.0/x64/bin/config-connector', '--oauth2-token', '***................................................................................................................................................................................................................................................................................................................................................................................................................................', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project, '--resource-format', 'hcl', '--iam-format', 'none']
Locally, the oauth2-token differs (the dots, I mean):
DEBUG: Executing command: ['./google-cloud-sdk/bin/config-connector', '--oauth2-token', '***', 'bulk-export', '--on-error', 'ignore', '--project', 'my-project', '--resource-format', 'hcl', '--iam-format', 'none']
Hi @geret1 that definitely feels like a gcloud bug. I would recommend filing an issue with the gcloud team: https://cloud.google.com/sdk/docs/getting-support
Oh, you could have google-github-actions/auth generate you an access_token that you pass in to the CLI manually as a workaround.
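```yaml
- uses: 'google-github-actions/[email protected]'
  id: 'auth'
  with:
    workload_identity_provider: ${{ env.WIF_PROVIDER }}
    service_account: ${{ env.WIF_SA }}
    # The auth action's input for requesting a token is named token_format
    token_format: 'access_token'
- name: 'Export terraform'
  id: export_terraform
  run: |
    gcloud --quiet beta resource-config bulk-export --oauth2-token=${{ steps.auth.outputs.access_token }} --resource-format=terraform
```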
Owner Name | google-github-actions |
Repo Name | setup-gcloud |
Full Name | google-github-actions/setup-gcloud |
Language | TypeScript |
Created Date | 2019-11-05 |
Updated Date | 2023-03-23 |
Star Count | 1505 |
Watcher Count | 65 |
Fork Count | 548 |
Issue Count | 11 |